In this article, we’ll help you reflect on some of the important questions and make sure you are ready to kick-start and succeed with your training.
What is it you want to achieve?
First, it’s important that you consider what it is you want to achieve, as security awareness training can have several effects. Goals could be:
- Fewer data and security breaches
- GDPR compliance or other compliance-based effects
- Building a security culture where all employees feel empowered and safe to speak up if they spot a breach
- Something completely different
Whatever your goal is, it also affects how to use the training. If it’s “just” to tick off a compliance checkmark, then that’s fine. You can send out a course every second month and go to bed…
But you probably won’t reach the full potential of the training.
See the training as culture change
In our eyes, awareness training is a tool to create a security culture. It’s not the only tool, but a part of all your security work, just like phishing training is. If you want to succeed in creating a security culture, you can’t just send out some courses and forget about them.
You need to follow up and create the processes and space for people to succeed in creating security.
It might not be the easiest thing to measure, but employee security and behavior rarely are.
Here’s an example of why it’s difficult to measure: We’ve had customers who wanted to see fewer reported security breaches as a result of awareness training, because they thought this would indicate a stronger security culture with fewer mistakes. But they actually ended up with MORE reported breaches than before the training. This raised some eyebrows, but it actually turned out to be a good thing.
It turned out that the reason for the increased number of reported breaches was that employees actually spotted and reported them. The increase was not due to more breaches occurring, but to employees reacting to the breaches.
The training was a success, as employees actively helped and strengthened the security.
This is why we recommend looking at the whole thing as culture. Measure the effect by observing your company.
- Is security a part of everyday life?
- Do people talk about it?
- Do people report breaches?
- Do they ask if they are in doubt about something?
- Do they warn each other about phishing emails?
If you can begin to say yes to these questions, it’s because the awareness program and your other initiatives are working.
Do you have any previous experience with training and cyber security?
It can also be a good idea to think about what experience you already have when it comes to training your colleagues in cyber security.
- How did it go?
- What are your key takeaways from the training?
- What was the theme of the training? (e.g., if the training was about updating software, it might not be necessary to send out a course about that in the near future)
We are also curious to hear about your previous experiences, as it helps us create the best awareness-training program for your needs.
What courses do you want?
Got a question?
Contact us at support@cyberpilot.io